Category Archives: DATA ACCESS & STORAGE

Wealth and influence in the technology business have always been about gaining the upper hand in software or the machines that software ran on.

Now data – gathered in those immense pools of information that are at the heart of everything from artificial intelligence to online shopping recommendations – is increasingly a focus of technology competition. And academics and some policymakers, especially in Europe, are considering whether big internet companies like Google and Facebook might use their data resources as a barrier to new entrants and innovation.

A Google data centre in Oklahoma. A new Google business offering — still in the test, or alpha, stage — is a software service to improve job finding and recruiting. Photo: NYT

In recent years, Google, Facebook, Apple, Amazon and Microsoft have all been targets of tax evasion, privacy or antitrust investigations. But in the coming years, who controls what data could be the next worldwide regulatory focus as governments strain to understand and sometimes rein in US tech giants.

The European Commission and the British House of Lords both issued reports last year on digital “platform” companies that highlighted the essential role that data collection, analysis and distribution play in creating and shaping markets. And the Organisation for Economic Cooperation and Development held a meeting in November to explore the subject, “Big Data: Bringing Competition Policy to the Digital Era.”

As government regulators dig into this new era of data competition, they may find that standard antitrust arguments are not so easy to make. Using more and more data to improve a service for users and more accurately target ads for merchants is a clear benefit, for example. And higher prices for consumers are not present with free internet services.

“You certainly don’t want to punish companies because of what they might do,” said Annabelle Gawer, a professor of the digital economy at the University of Surrey in England, who made a presentation at the Organisation for Economic Co-operation and Development meeting. “But you do need to be vigilant. It’s clear that enormous power is in the hands of a few companies.”

Maurice Stucke, a former Justice Department antitrust official and a professor at the University of Tennessee College of Law, who also spoke at the gathering, said one danger was that consumers might be afforded less privacy than they would choose in a more competitive market.


The competition concerns echo those that gradually emerged in the 1990s about software and Microsoft. The worry is that as the big internet companies attract more users and advertisers, and gather more data, a powerful “network effect” effectively prevents users and advertisers from moving away from a dominant digital platform, like Google in search or Facebook in consumer social networks.

Evidence of the rising importance of data can be seen from the frontiers of artificial intelligence to mainstream business software. And certain data sets can be remarkably valuable for companies working on those technologies.

A prime example is Microsoft’s purchase of LinkedIn, the business social network, for $US26.2 billion last year. LinkedIn has about 467 million members, and it houses their profiles and maps their connections.

Microsoft is betting LinkedIn, combined with data on how hundreds of millions of workers use its Office 365 online software, and consumer data from search behaviour on Bing, will “power a set of insights that we think is unprecedented,” said James Phillips, vice president for business applications at Microsoft.

In an email to employees, Satya Nadella, Microsoft’s chief executive, described the LinkedIn deal as a linchpin in the company’s long-term goal to “reinvent productivity and business processes” and to become the digital marketplace that defines “how people find jobs, build skills, sell, market and get work done.”

IBM has also bet heavily on data for its future. Its acquisitions have tended to be in specific industries, like its $US2.6 billion purchase last year of Truven Health, which has data on the cost and treatment of more than 200 million patients, or in specialised data sets useful across several industries, like its $US2 billion acquisition of the digital assets of Weather Co.

IBM estimates that 70 per cent of the world’s data is not out on the public web, but in private databases, often to protect privacy or trade secrets. IBM’s strategy is to take the data it has acquired, add customer data and use that to train its Watson artificial intelligence software to pursue such tasks as helping medical researchers discover novel disease therapies, or flagging suspect financial transactions for independent auditors.

“Our focus is mainly on non-public data sets and extending that advantage for clients in business and science,” said David Kenny, senior vice president for IBM’s Watson and cloud businesses.

At Google, the company’s drive into cloud-delivered business software is fuelled by data, building on years of work done on its search and other consumer services, and its recent advances in image identification, speech recognition and language translation.

For example, a new Google business offering – still in the test, or alpha, stage – is a software service to improve job finding and recruiting. Its data includes more than 17 million online job postings and the public profiles and résumés of more than 200 million people.

Its machine-learning algorithms distilled that to about 4 million unique job titles, ranked the most common ones and identified specific skills. The job sites CareerBuilder and Dice are using the Google technology to show job seekers more relevant openings. And FedEx, the giant package shipper, is adding the service to its recruiting site.

That is just one case, said Diane Greene, senior vice president for Google’s cloud business, of what is becoming increasingly possible – using the tools of artificial intelligence, notably machine learning, to sift through huge quantities of data to provide machine-curated data services.

“You can turn this technology to whatever field you want, from manufacturing to medicine,” Greene said.

Fei-Fei Li, director of the Stanford Artificial Intelligence Laboratory, is taking a sabbatical to become chief scientist for artificial intelligence at Google’s cloud unit. She sees working at Google as one path to pursue her career ambition to “democratise AI,” now that the software and data ingredients are ripe.

“We wouldn’t have the current era of AI without the big data revolution,” Li said. “It’s the digital gold.”

In the AI race, better software algorithms can put you ahead for a year or so, but probably no more, said Andrew Ng, a former Google scientist and adjunct professor at Stanford. He is now chief scientist at Baidu, the Chinese internet search giant, and a leading figure in artificial intelligence research.

The private lives of half a million Australians – including sexual and medical histories – have been made public in what could be one of the country’s largest data breaches.

Australian Red Cross Blood Service staff are contacting more than 550,000 blood donors whose personal information was contained in a file accidentally placed on an unsecured, public-facing part of their website.

Massive Red Cross breach

A file containing the details of over 550,000 Red Cross blood donors and donor applicants has been leaked. Courtesy ABC News 24.

The information relates to donors from 2010 to 2016 and includes names, addresses and dates of birth as well as sensitive donation eligibility questions concerning sexual activity, drug use, weight and medical conditions.

The Australian Privacy Commissioner will launch an investigation and a human rights lawyer says those affected may be able to make a claim for damages.

The breach of data comes from the Australian Red Cross Blood Service and dates back to 2010. Photo: Dallas Kilponen

A text message sent to people potentially affected by the Red Cross data breach. Photo: Supplied

Red Cross Blood Service chief executive Shelly Park blamed human error by a contractor running the organisation’s website for the breach but said the information was considered to have a low risk of direct misuse in the future.

The data was available online since early September and is believed to have been accessed on Monday, October 24.

Investigations are continuing and the Australian Federal Police and Australian Cyber Security Centre have been informed of the breach.

“On October 26, we learnt that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Ms Park said.

“The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation.”

Ms Park said the organisation had engaged cyber security experts to investigate how it was “caught out” and was in the process of notifying donors affected.

Donors affected have been warned there is an increased risk to their online security and that they should be on the lookout for phone and email scams.

“We are extremely sorry. We are deeply disappointed to have put our donors in this position,” Ms Park said.

Mr Hunt’s name, email, gender, date of birth, phone number and date of last donation were disclosed in the file.

This was also the case with his wife, whose file also contained her blood type and their home address.

“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” he wrote in a blog post.

Mr Hunt said he had deleted his copy of the information and the person who gave it to him had agreed to do the same. The Red Cross said, to their knowledge, “all known copies of the data have been deleted”.

Some exposed data could contain the highly sensitive eligibility questions, including: “In the last 12 months, have you engaged in any at-risk sexual behaviour?”


Donors are also asked if they have ever injected recreational drugs, are on antibiotics, if they are under or overweight and if they have undergone any surgical procedures.

Australian Privacy Commissioner Timothy Pilgrim announced a probe into the breach on Friday afternoon.

“I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident.

“The results of that investigation will be made public at its conclusion,” he said in a statement.

“My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach.”

Human Rights lawyer George Newhouse said the privacy commissioner had the power to order damages and apologies.

Adjunct Professor Newhouse also said his office was considering mounting legal action for those affected.

“We’re looking into a class action on behalf of those who have had their data unlawfully accessed,” he said.

“On the basis that they’ve had their privacy breached.”

Even basic personal information could lead to identity fraud, but it was worse for anyone whose sexual or medical history had been compromised, he said.

“This is highly sensitive personal information that could cause enormous embarrassment to people in their personal and work lives. This incident highlights how vulnerable organisations and individuals are to unauthorised access.”

A Health Department spokeswoman said she was confident the blood service would recover.

“The ARCBS is a long-standing institution who are charged with ensuring a viable donor base, safe collection, processing and distribution of blood and blood products,” she said.

“We are confident that the ARCBS will be able to recover from this incident, build the confidence of the donor base and ensure that the safety and security of their systems are robust and compliant with privacy and confidentiality requirements.”

The AFP and the Australian Cyber Security Centre referred questions about their involvement to the Health Department.

Yahoo is the latest company to be embroiled in what is thought to be one of the largest cybersecurity breaches ever.

As data becomes more precious, especially to brands and publishers who are constantly trying to sift through the information to find pertinent monetisation strategies and more personalised user advertising, data security and privacy fears are already at an all time high.

Which is why a recent investigation by Yahoo, which confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by a “state-sponsored actor”, is nothing short of a PR nightmare.

It is becoming harder for brands and publishers to stay ahead of the ever-evolving online threats.

Based on the ongoing investigation, Yahoo says it believes that information associated with at least 500 million user accounts was stolen, and the investigation has found no evidence that the state-sponsored actor is ‘currently’ in Yahoo’s network.

It’s working closely with law enforcement on this matter and the account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” a Yahoo spokesperson says.

It says it is notifying potentially affected users and is asking those who may be affected to change their passwords and adopt alternate means of account verification.

It recommends that all users who haven’t changed their passwords since 2014 do so immediately and consider using Yahoo Account Key – an authentication tool that eliminates the need to use a password altogether.

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” a Yahoo spokesperson says.

“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

The sun peeks over the New York Times Building in New York August 14, 2013. REUTERS/Brendan McDermid

The New York Times said on Tuesday its Moscow bureau was targeted by a cyber attack this month but that there was no evidence the hackers, believed to be Russian, were successful.

“We are constantly monitoring our systems with the latest available intelligence and tools,” Times spokeswoman Eileen Murphy told the newspaper. “We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised.”

Earlier on Tuesday, CNN, citing unnamed U.S. officials, reported that the Federal Bureau of Investigation and other U.S. security agencies were investigating cyber breaches targeting reporters at the Times and other U.S. news organizations that were thought to have been carried out by hackers working for Russian intelligence.

“Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said,” CNN reported.

The FBI declined a Reuters’ request for comment. Representatives for the U.S. Secret Service, which has a role in protecting the country from cyber crime, did not reply to a request for comment.

A government official briefed on the inquiry told the Times the FBI was looking into the attempted cyber attack but was not carrying out similar investigations at other news organizations.

The Times had not hired outside firms to investigate the attempted intrusion, contrary to the CNN report, Murphy said.

News of the cyber attack comes amid a wave of similar attacks targeting major U.S. political parties that have surfaced in recent weeks ahead of the Nov. 8 presidential election.

The Democratic National Committee, Democratic presidential nominee Hillary Clinton’s campaign and the party’s congressional fundraising committee have all been affected.

Hackers have also targeted the computer systems of Republican presidential nominee Donald Trump and Republican Party organizations, sources have told Reuters.

A breach at the Times would not be the first time foreign hackers infiltrated a news organization. Media are frequently targeted in order to glean insights into U.S. policies or to spy on journalists.

In 2013, a group of hackers known as the Syrian Electronic Army attacked the Times and other media outlets. Chinese attackers also infiltrated the Times that year.

(Reporting by Dustin Volz, John Walcott, Mohammad Zargham and Eric Walsh in Washington, and Jessica Toonkel in New York; Writing by Susan Heavey and Eric Walsh; Editing by Frances Kerry and Peter Cooney)

Joint investigation by the Australian and Canadian privacy commissioners finds infidelity website fabricated security qualifications, was storing passwords in plain text.

AshleyMadison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs, the Office of the Privacy Commissioner of Canada says.

In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers.

The hack stole correspondence, identifying details and even credit card information from millions of the site’s users. At the time of the breach in July 2015, AshleyMadison claimed to have 36 million users and took in more than $100 million in annual revenue.

The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts.

Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn’t do enough to guard against being hacked. The company even adorned its website with the logo of a “trusted security award” — a claim the company admits it fabricated.

The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant that some people who had never signed up for Ashley Madison were included in databases published online after the hack, it said.

“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable,” privacy commissioner Daniel Therrien said in a statement. “This is an important lesson all organizations can draw from the investigation.”

The company co-operated with the privacy watchdog’s investigation and has agreed to a compliance agreement. That means if it is found later to have ignored any of the report’s recommendations, it could be held liable in court.

“The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term,” company CEO Rob Segal said in a statement.

The Australian Bureau of Statistics (ABS) used the names and addresses on census forms to link the census answers to department of immigration records, to school enrolment records and to the Australian Early Development Index.

The names were destroyed only after the records were linked.

Separately, and without asking for consent, the Bureau has been tracking five per cent of the population (more than one million people) through what it calls the Australian Census Longitudinal Dataset.

It has been using the names on the forms to create “linkage keys”, which enable it to follow respondents over time. Each census, the same name produces the same linkage key, enabling movements to be tracked. Once each key has been created, the name itself has been destroyed. It is impossible to reverse-engineer a key to derive the name.

“In 2016, I have decided to keep names and addresses for longer,” Mr Kalisch writes in today’s Sydney Morning Herald and Age. “This will enable the ABS to produce statistics on important economic and social areas such as educational outcomes, and measuring outcomes for migrants.”

Labelled by former Australian Statistician Bill McLennan “the most significant invasion of privacy ever perpetrated on Australians by the ABS,” the decision will formalise what was happening informally before Mr Kalisch joined the ABS in 2014. It will extend the period for research using names from 18 months to four years. All names collected will be deleted by August 2020 or when studies have been completed, whichever is the soonest.

“There are extremely robust safeguards in place to protect the privacy and confidentiality of the information collected in the census, including names and addresses,” Mr Kalisch writes in today’s Fairfax Media publications. “The ABS never has and never will release identifiable census data.”

Kat Lane, vice-chair of the Australian Privacy Foundation, said the real issue wasn’t the ABS security system. It was that there was no justification for tracking or personally identifying Australians.

These so-called “trusted third-parties” may be the most important tech companies you’ve never heard of. ZDNet reveals how these companies work as middlemen or “brokers” of customer data between ISPs and phone companies, and the U.S. government.

NEW YORK — Picture two federal agents knocking at your door, ready to serve you a top secret order from the U.S. government, demanding that you hand over every shred of data you own — from usernames and passwords, phone records, emails, and social networking and credit card data.

You can’t tell anyone, and your only viable option is to comply.

For some U.S. Internet service providers (ISP) and phone companies, this scenario happens — and often. Just one ISP hit by a broad-ranging warrant has the potential to affect the privacy of millions of Americans.

But when one Atlanta, Georgia-based Internet provider was served a top-secret data request, there wasn’t a suited-and-booted federal agent in sight.

Why? Because the order was served on a so-called “trusted third-party,” which handles the request, served fresh from the secretive Washington D.C.-based Foreign Intelligence Surveillance Act (FISA) Court. With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a “communications provider” has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

On a typical day, these trusted third-parties can handle anything from subpoenas to search warrants and court orders, demanding the transfer of a person’s data to law enforcement. They are also cleared to work with classified and highly secretive FISA warrants. A single FISA order can be wide enough to force a company to turn over its entire store of customer data.

For Cbeyond, a Nasdaq stock exchange-listed ISP based in Atlanta, Georgia, data requests can be put almost entirely out of mind. The company generates more than $450 million in revenue each year and serves more than 50,000 business customers — primarily small to medium-sized companies — in more than a dozen U.S. states.

The ISP’s legal resources are razor thin, according to an executive at the company, who did not want to be named for the story. As a result, the company does not always directly handle government data requests.

The company outsources a good portion of its legal and compliance responsibilities to Neustar, which bought its way into the wiretapping business following its 2005 acquisition of compliance firm, Fiducianet.

Cbeyond can receive as many as five to ten subpoenas per week. These data requests are regularly forwarded to Neustar, which acts as the ISP’s “custodian of records.” They are validated, and — more often than not — data is handed over to the requesting law enforcement agency.

But on the rare occasion Cbeyond receives a top-secret FISA warrant — two per year on average, according to a senior staffer who has direct knowledge of the matter — Neustar pulls the data from the ISP’s networks and hands it to the requesting government agency.

These warrants can allow the FBI or the NSA to collect an unknown but potentially limitless amount of data on millions of Americans and foreigners.

“Hidden, but not visible”

Created by its namesake law, the Foreign Intelligence Surveillance Act in 1978, the FISA Court issues more than a thousand classified warrants a year for Americans’ data. One former NSA analyst likened it to a “kangaroo court with a rubber stamp,” as it keeps very few records, of which many are kept in the utmost secrecy and away from public scrutiny.

Only documents leaked by former U.S. intelligence contractor Edward Snowden have helped lift the lid on the shadowy world of these secret so-called FISA warrants. Signed off by the court, these warrants give the FBI and the NSA wide-ranging access to American data, in spite of Fourth Amendment protections designed to protect against overreaching domestic government surveillance.

The first classified document leaked by the former U.S. government contractor showed how the Obama administration forced Verizon to turn over its entire store of metadata on a rolling basis to the NSA.

When these secretive FISA orders are issued, there is little indication to Cbeyond, or any other local or major ISP or phone company, what the requested data may be used for. It could be for a terrorism case, or it could be a small part of an undisclosed NSA program. That also poses a problem for the companies wanting to fight back — and some companies have found the process notoriously difficult — not least because it requires an attorney with top-secret security clearance.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA’s surveillance programs.

For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.

“If they don’t have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can’t provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data,” the security clearance-holding attorney said.

Enter the trusted third-party, which facilitates the data request between the two.

Neustar’s business is wide-ranging. Many industry insiders know it as a phone number portability company and the owner of top-level domain names. But its dedicated — and widely unknown — legal and compliance division, dubbed “fiduciary” services, handles subpoenas and warrants on behalf of its customers, provides technical assistance in the lawful interception of data, and supplies the services needed to carry out the surveillance demanded by the court or law enforcement agency.

“It’s not hidden, but not visible,” according to a former Neustar executive who worked in the division and who declined to be named, because the activities the division supports are ones its customers “don’t publicize very much.” These services have been stigmatized, particularly in the wake of the Snowden disclosures. The person said that ordinary people do not want to know that their data is up for grabs.

BuzzFeed in 2012 profiled Neustar in some depth, disclosing the scope of its legal intercept unit. The piece led the company to disclose for the first time transparency figures (more on that later).

Neustar works primarily for small to medium-sized businesses. The company said two years ago that it serves about 400 of the “thousands” of U.S. phone companies — including smaller firms like Cbeyond and Grande Communications, but also larger firms like Bright House Networks, and also Cricket, which disclosed its relationship with Neustar to Congress in May 2012 — to handle and respond to the court orders they receive. Neustar does not always act as the first go-to point for its customers.

The fiduciary division can also be held in reserve as an “overflow” for cases in which its larger corporate clients are inundated with more demands for data than usual, the former Neustar executive said.

To the degree that the company performs overflow functions for companies such as Verizon, Neustar chief privacy officer and deputy general counsel Becky Burr explained, it is “only non-criminal information,” such as civil subpoenas, often generated in bitter divorce and custody disputes.

Neustar data request figures

Neustar transparency report (August 28, 2014)

Order type                             2012          2013          2014*
Administrative subpoena                19,236        28,941        16,315
Other subpoenas                        10,615         9,274         3,956
Total subpoenas                        29,851        38,215        20,271
Exigent circumstances                   2,793         3,131         1,164
PSAP** Emergency — 911                 11,368        11,041         4,638
Total emergency                        14,161        14,172         5,802
Tower search                                1           114           132
Court order                             7,778         8,375         3,609
Search warrant                          1,538         1,956           971
Total court order                       9,317        10,445         4,712
Criminal — full contents                  307           332           163
Criminal — pen/trap                     1,971         2,596         1,249
Total intercepts                        2,278         2,928         1,412
NSL orders, FISA demands/targets***    0-249/0-249   0-249/0-249   n/a****

* through August 15, 2014
** stands for “public-safety answering point” — such as 911 emergency call centers
*** per Justice Dept. requirements, only a range of FISA warrants can be disclosed
**** the last six months are not available as per the Justice Dept. delayed publication rule
Source: Neustar

The company disclosed its latest transparency figures for the second time. Burr said the company has seen a spike in lawful intercept requests compared with the five-year period ending in 2011, thanks to the business of a larger customer that signed on in 2011 and is not named here because it was divulged off the record.

These lawful requests are authorized by a court, and can mandate a company to hand over the contents of emails and phone calls — including the time, date, and duration of calls, and the phone numbers themselves, though not the contents of the calls made.

Out of the 2,278 intercept requests Neustar processed in 2012, about 77 percent came from that one unnamed customer, which also accounted for about 76 percent of all the intercept requests Neustar processed in 2013.

While the division also processes civil requests, and in rare cases handles emergency responses from law enforcement agencies — such as the immediate threat to property or life — it nonetheless handles a significant portion of its customers’ criminal requests.

Neustar’s figures show a spike in warrants since its first transparency report. The figures show that civil requests make up the bulk of Neustar’s fiduciary business, but criminal requests — including court orders and search warrants — make up about one-third of the overall requests.

Under reporting rules set out by the U.S. Department of Justice on disclosing FISA requests and National Security Letters (NSLs), which can be used to compel an ISP or phone company while gagging it from disclosing the fact, the last six months’ worth of data is not available. Any requests prior to the six-month reporting window are disclosed only as a numerical range.

Although the range spans from zero, we know from Cbeyond’s case that at least one FISA warrant has been served.

The scope of other existing FISA orders is also shrouded in secrecy, along with the process by which these secret court orders are served on companies. Although U.S. residents are afforded legal protections to limit domestic government surveillance, the Obama administration has come under intense scrutiny for using secret interpretations of surveillance law to acquire Americans’ data.

The process by which FISA warrants are served on companies or individuals isn’t widely known, due to the restrictions on whom recipients can talk to.

In reality, it may not involve federal agents showing up at your door at all. It may be as routine as a phone call from an ISP’s third-party provider. That’s when the wiretapping can begin.

“Of what worth is our permission?”

Neustar will typically inform the ISP by phone that a warrant has been received. According to the former Neustar executive, the smaller the carrier, the greater chance Neustar’s staff will see such orders first — though, not in every case.

Despite their secrecy, what is known is that FISA warrants are generally targeted and individualized, but they can also be broad and wide-ranging. While the contents of the FISA warrant are classified, it will state the legal authority under which a wiretap can be placed.

When it’s the latter case, the law says multiple warrants can be served each year on a rolling basis to maintain fresh oversight by judges, or to form a new legal basis to acquire more data.

Companies like Neustar, Subsentio, and Yaana have staff with security clearance, allowing them to see, review, and execute the warrant.

If an order is not valid, or it has deficiencies such as inappropriate language, the third-party’s legal experts may outright reject the order — regardless of the type of order issued by the law enforcement agency.

“Every action Neustar took as an outsourced partner was really governed by the carriers’ policies and procedures,” the former Neustar executive explained. If an ISP or phone company is particularly conscious of its customers’ civil liberties, Neustar can adopt strict guidelines to meet those criteria. That said, if a customer is less than willing to uphold those rights — or is unable to pay to have the order challenged in court — Neustar may near-automatically accept each government data request.


The ISP remains informed along the way, and will be the final arbiter on whether or not a data request will be accepted or rejected — regardless of its policies in directing Neustar how to act.

Neustar, like other trusted third-parties, is granted full technical access to the network of its ISP customer, either by way of the company’s own wiretap equipment or technology provided by the trusted third-party. Then, Neustar will formally request permission from the ISP’s general counsel to execute the warrant. As is often the case, no information about the FISA request is given to the company.

“Of what worth is our permission when we don’t even know what we’re being asked to give access to?” a senior staffer at Cbeyond admitted.

Neustar can in many cases execute the warrant from anywhere within the U.S., keeping within the bounds of the country’s surveillance law. But when a wiretap device is needed, they are not hard to come by. Most networking equipment makers sell devices that can be used to collect data, or to inspect it — so-called deep-packet inspection devices, which can also be used to block piracy, the spread of malware, and access to websites, all at the Internet provider level.

Once a FISA warrant is issued, so-called “tasking” orders, which contain selectors — like a phone number or an email address — are often sent electronically to the ISP. These tell the ISP or phone company, or third-parties like Neustar, exactly where to wiretap and what data to collect to hand back to the requesting authority.

By acting as middlemen, companies like Neustar, Subsentio, and Yaana often liaise with both the targeted ISP or phone company and the law enforcement agency, acting as a channel through which intercepted data can flow.

For Cbeyond, the process is relatively straightforward — it’s out of sight and (almost) out of mind. But, that’s not the case for every ISP or phone company. Each company’s infrastructure has unique requirements.

FISA requests also come at a cost on two fronts for the ISP. Neustar’s services are held on retainer, with additional costs for each warrant.

Although financial arrangements were not disclosed between Cbeyond and Neustar, the ISP’s limited annual revenue and legal resources are a driving factor behind why it has not so far challenged a FISA warrant. But, Neustar will also work with U.S. law enforcement agencies to recover costs, which they are entitled to do under the law, for data requests.

Other companies work on a case-by-case basis, or charge a little more each year instead of taking on a retainer fee.

“Maybe we should be thinking about civil liberties more”

Data requests can be refused — it’s not often that it happens, but it does. For the third-party companies, their obligations are with their client and not the law enforcement agency.

But there are limits. If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.


Burr said Neustar “has and will” reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order they believe to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

“We’re out of the picture,” said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

The company has “well over 100 customers,” and is mostly focused on wireless carriers and cloud providers, Thomas said on the phone. Thomas is no stranger to this field. As a former FBI assistant director, he was responsible for the bureau’s lawful interception operations. He retired in 2011.

Thomas said that Subsentio, unlike Neustar, is not a formal “custodian of records,” but it interacts with both parties to ensure the correct records and the right amount of data are transferred from the company to the law enforcement agency. The company typically handles pen registers for real-time recording of phone numbers dialed from a particular line, full-content wiretap orders, and FISA warrants.

Subsentio provides more than simply the legal vetting procedures for determining whether a lawful intercept can go ahead. It’s not unusual for Subsentio to provide the actual wiretap device itself, should its customer need one.

“If they choose not to implement it, they don’t authorize us to implement it,” Thomas said.

Yaana operates under a similar regime. Founded in 2007 and based in the heart of Silicon Valley, it serves “dozens” of companies out of the thousands of U.S.-based ISPs and phone companies. The firm also serves companies operating with a foreign presence, and supports warrants from a number of European states. Yaana’s focus is compliance in the cloud, which — according to executive vice president for regulatory affairs and standards Tony Rutkowski — the vast majority of technology companies were “slowly but surely” moving towards.

Like Neustar, Yaana acts as legal agent for its corporate customers, Rutkowski said. Its in-house “rules-based reasoning engine” triages and clears law enforcement requests, which are then accepted or rejected by on-call staff. For subpoenas, the system is straightforward and near-autonomous. Court orders under seal — as many are — require direct approval from the ISP or phone provider.

“If they haven’t seen it, we won’t approve it,” Yaana’s chief technology officer David Grootwassink explained on the phone.

However, when handling FISA warrants, there “isn’t a lot of wiggle room” except to ensure that they are valid, Grootwassink said. The FISA warrant requires the ISP or phone provider to decide whether it will comply or not. Should a client wish to fight the order, Yaana will not step in to fight on behalf of or alongside its ISP or phone provider client.

“It’s the provider’s problem,” Rutkowski said. “The nice part about the trusted third-party business is that just from a liability standpoint, we don’t want to be left holding the bag here.” Grootwassink agreed. “We provide the gears. We don’t get involved in fights between the governments and our clients.”

Except, according to the numerous people spoken to for this article, many of the customers to these trusted third-party firms may not have the legal expertise or resources in the first place to develop policies that are fitting for the Internet and phone customers they serve.

Because Neustar, Subsentio, and Yaana act on their clients’ behalf and at their clients’ direction, the clients themselves may be the weakest link in the privacy chain. Many of the companies outsourcing these services to a trusted third-party may not have strong policies designed first and foremost to protect the civil liberties of their customers.

These policies dictate ahead of time how the trusted third-party will respond to requests, so the client does not have to get dragged into the minutiae of each case.

Although some ISPs have wanted to fight tooth and nail, they have not had the money to hire a top-secret cleared attorney to argue their case. Instead, they have invoked their interpretation of the First Amendment — the right to free speech — to disclose that they have received a FISA warrant, despite the secrecy and gagging clauses that come with them.


Others, like Cbeyond, “haven’t examined simply saying ‘no’ and challenging them,” said the person with direct knowledge of the warrants served on the ISP.

“What we’re doing is what the rest of the American public is doing,” the person said. “We’re trusting in some way that these [warrants] are being handled in a responsible fashion.”

Because of its business clientele, higher management was “not thinking about civil liberties issues,” noting that the company near-automatically approved all requests.

“We don’t have a department designed to resist unwarranted government intrusions or to even figure out if they’re unwarranted or not,” the person said.

The onus of responsibility is with the business customers it serves, Cbeyond believes — though the people argued that those customers likely do not have the resources to deal with such warrants either. The ISP is instead focused on fighting “incessant and unrelenting regulatory attacks” from its larger corporate rivals, one of the people said.

The end customers of ISPs and phone companies are not made aware that their data is being collected. In many cases, even a company’s chief executive is kept out of the loop.

U.S. surveillance law restricts who can be told about classified data requests. Although the law does not preclude a company’s chief executive from knowing, Cbeyond’s chief executive Jim Geiger said on the phone he would not be informed of the receipt of any FISA warrants, nor would he know about all of the subpoenas the company gets.

“It’s a wide burden for a chief executive’s involvement of things that would suck time and energy that aren’t necessary,” he said.

“We are not a regulated industry”

Cbeyond’s approach means Neustar will accept almost every government data request it receives on behalf of the ISP — so long as they pass Neustar’s own internal legal review.

In the relationship between ISPs and phone companies and these trusted third-parties, there are few — if any — sticking points. The ISPs devolve a portion of their responsibilities to the third-party, which generates a tidy sum for their services, and the law enforcement agencies receive the data they request.

But despite this data handover process, there remains little regulation or oversight of the trusted third-party industry.

Staff members at these companies hold U.S. security clearance and are therefore legally allowed to handle and remotely execute FISA warrants and directives. They fall within the realm of rules, protocols and laws that the U.S. intelligence community abides by.

But the vast majority of their work goes unsupervised by the government.

“Even though it sounds like [trusted third-parties] are regulated or licensed… the [legal] functions weren’t fully outsourced,” the former Neustar executive said. “You didn’t as a carrier turn over your responsibilities to someone who’s licensed to do those responsibilities. You hired competent staff on an outsourced basis to do your work, and it’s all governed by the policies of the carrier.”

“Everything was just an extension of the [carrier’s] work center,” they said. “Neustar wasn’t doing anything other than work for [its] carriers.”

Neustar says it reviews, validates, and keeps audit trails for its customers. Subsentio and Yaana also audit their activities for their customers’ benefit in order to make sure the companies are not conducting activities beyond their purview.

Thomas said trusted third-parties are “not a regulated industry” and that there is no external party reviewing such work. He said that the company does not undergo any audits that would examine how they do their jobs.

“We sort-of determine our own communication and security requirements,” Thomas said. The only exception is classified work, which he said is “reviewed” periodically by the company.

The only oversight, per se, is from the public. In the wake of the Snowden leaks, many companies have bowed to public pressure and released government data request figures. Cbeyond does not currently have a transparency report, and Geiger said the company has no plans to publish one any time soon. But for some, a company’s size is no excuse. XMission, a Utah-based ISP with a staff just shy of 50 employees and one attorney, regularly updates its transparency pages — on one occasion even disclosing that it had received and fulfilled a FISA warrant for one individual’s data.

Cbeyond’s business clientele were a driving reason behind Birch Communications’ bid to acquire the ISP for $323 million, which closed on July 21. Birch is now said to comply with subpoenas and warrants in-house, ending the long-standing relationship with Neustar.

In June, one month before the deal closed, not knowing what changes the new regime would bring, the senior staffer at the ISP ended the conversation to go back to work.

“We’re not thinking about civil liberties issues. Maybe we should have been thinking about it more.”

The list contains 2.2 million names of high-risk individuals and organizations — including those thought to be involved in financial crime and terrorism.

NEW YORK – APRIL 17: The new logo of Thomson Reuters is seen on their Times Square building April 17, 2008 in New York. Thomson Reuters Corporation debuted on April 17 with a new logo as a global information company.

A database of heightened-risk individuals and organizations, some of which are thought to be involved in financial crime, corruption, and terrorism, has leaked.

The database dates back to mid-2014, and it contains names, dates, places of birth, and other sensitive information, which is collected from law enforcement records, political information, articles, blog posts, and social media, among other sources.

A smaller category of about 93,000 individuals thought to be involved in terrorism is also said to be in the database.

Access to the database is restricted to vetted individuals under strict European data protection laws.

A spokesperson for the company confirmed the security lapse has been plugged.

“Thomson Reuters was yesterday alerted to out-of-date information from the World-Check database that had been exposed by a third party. We are grateful to Chris Vickery for bringing this to our attention and immediately took steps to contact the third party responsible. As a result, we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident,” said the spokesperson.

Many banks and law firms use the database to help “minimize … risk of complicity in terrorist financing or money laundering,” according to an investigation by Vice News.

Vickery has not yet publicly released the data, however, given its sensitivity.

The database contains profiles on millions of “heightened-risk individuals,” and is used by dozens of leading banks, governments, and spy agencies

Thomson Reuters building in Times Square, New York. (Image: file photo)

There is a private intelligence database, packed full of personal details of millions of “heightened-risk” individuals, which is secretly having a devastating effect on those who are on it. Most have no idea they’re under the watchful gaze of some of the world’s largest and most powerful organizations, governments, and intelligence agencies.

But for all its worth and value, it wasn’t kept nearly secure enough.

A copy of the database, dating back to mid-2014, was found on an unsecured server hosted by a London-based compliance company, which specializes in “know your customer” profiling and anti-money laundering services.

Chris Vickery, a security researcher at MacKeeper, who found the database, told me that it was stored on a server configured for public access.

This influential yet entirely unregulated database, called World-Check, lists over 2.2 million corporations, charities, and individuals — some notable, like politicians and senior government officials — which might be connected to illegal activities, like sanctions violations or financial mismanagement.

Some have been pinned under the database’s “terrorism” category, or are thought to be connected to financing violence.

This data could affect a person’s ability to be lent money by a bank, their employment opportunities, and even influence the people who do business with them — simply based on a designation.

Word of the database first widely emerged earlier this year when Vice News disclosed the existence of the project. It said the database was “secretly wielding power over the lives of millions” who are said to have “hidden risk,” such as those who are violating sanctions or have laundered money or a connection to criminals — which has been linked to account closures and bank blacklisting. As the news site pointed out, simply being a high-profile individual can label someone at risk of bribery.

The report said the database now has over 2.7 million entries — including over 93,000 records relating to those associated with terrorism.

No wonder it’s popular with law enforcement agencies and government departments, which subscribe to the database in an effort to uncover potentially improper conduct. Most of the world’s largest banks and law firms, and over 300 government and intelligence agencies, are subscribers, according to a 2015 sales document from its owner, information and finance giant Thomson Reuters, which bought the company in 2011 for $530 million.

Because of the sensitivity of the data, access is limited to a few thousand customers, which have been carefully vetted and are bound by secrecy and non-disclosure agreements.

Vickery reported the leak to Thomson Reuters, but he still went public in an effort to spark a debate on whether these profiling databases are being run appropriately.

“If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” he said in an email.

The problem is, there isn’t.

Vickery shared access to the database with ZDNet.

Each profile lists a person’s potential risks such as “narcotics” or “terrorism,” “organized crime,” or “politically exposed person.” Given the list’s potential power to alter a person’s opportunities, many would not approve of their name being on it.

Take one example. Maajid Nawaz ran for the British parliament as a Liberal Democrat in the last election, as profiled by Vice. He is a former member of the radical Islamic group Hizb ut-Tahrir, which calls for its own Islamic state. He was detained in Egypt for five years, but is best known for his publicized and well-documented transition away from radical views. He later set up a think-tank dedicated to challenging the extremist narrative, and advised former prime ministers from Tony Blair onwards on Islamic extremism. And yet his World-Check profile, created in 2002, still carries a “terrorism” tag and was updated as recently as August 2013, despite “no further information recorded,” let alone any connection to extremists or terrorists.

It’s not just individuals who are designated as affiliated with terrorism, despite equally public data suggesting the contrary.

A BBC investigation last year showed the process behind banking giant HSBC’s bid to shut down accounts associated with several prominent British Muslims. A mosque in North London was given a “terrorism” label, despite new management that was installed more than a decade ago.

Other names in the database include diplomats and ambassadors, and senior ranking officials associated with global financial institutes, such as the World Bank, as was previously reported.

Based on how profiles are built, potentially anyone with an internet footprint could be included.

Much of the data comes from law enforcement sources, political information, articles, blog posts, and social media, among other sources. From the records we looked at, the data would often contain names, locations, dates of birth, and details of education, but in some cases social security numbers, citizenship, and passport numbers were also included.

The profiles themselves often have little or no justification for the entry. From our searches, we found high-ranking global government officials who were named in the files, yet there was no visible or clear justification for why they were there. In most cases there were just a handful of external links to publicly available documents, like speeches, election results, or pages linking to official government websites, as justification for their presence.

Many of the “reports” list a person’s risk as “to be determined,” suggesting there were no improprieties, illegal activities, or even an apparent reason for a profile, except for their status as a public figure.

The database we examined is two years old, and the records may have changed since, however.

A spokesperson for Thomson Reuters didn’t specifically respond to a question in relation to how profiles are built, vetted, or designated, but pointed me to the World Check privacy policy, which reiterates its effort to get data based on information in the public domain.

This entire market of “know your customer” and profiling remains unregulated and ungoverned — despite being used by some of the most powerful countries and organizations today. This industry is growing at a rapid rate — some say by over $30 billion by the start of the next decade. Even though the service has to stand up to strict European and UK data protection rules, a lack of public scrutiny and accountability makes that task almost impossible.

Those who are named in the database have little or no recourse to have their data corrected or removed.

In Nawaz’s case, Thomson Reuters reportedly removed his profile earlier this year. But given that the contents of the database are shrouded in secrecy, not everyone will have the same luck, let alone know they’re on a database in the first place.